Hi all,
I have taken over a stunnel install and all the clients' certs have expired.
I have been trying for the past 2 days to get the new setup to work but no such luck.
Here is the error I get on the server side, Linux Fedora Core 3, Stunnel 4.05:
2005.03.17 11:36:15 LOG7[12746:3086949296]: school4 started
2005.03.17 11:36:15 LOG5[12746:3086949296]: school4 connected from XXX.XXX.XXX.XX:1414
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): before/accept initialization
2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: ok
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 read client hello A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 write server hello A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 write certificate A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 write certificate request A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 flush data
2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 11:36:18 LOG7[12746:3086949296]: waitforsocket: ok
2005.03.17 11:36:18 LOG7[12746:3086949296]: SSL alert (read): fatal: certificate unknown
2005.03.17 11:36:18 LOG3[12746:3086949296]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
2005.03.17 11:36:18 LOG7[12746:3086949296]: school4 finished (0 left)
And here is the output on the client side:
2005.03.17 11:21:02 LOG5[952:1264]: stunnel 4.04 on x86-pc-mingw32-gnu WIN32 with OpenSSL 0.9.7 31 Dec 2002
2005.03.17 11:21:03 LOG5[952:896]: Peer certificate location (null)
2005.03.17 11:21:03 LOG5[952:896]: WIN32 platform: 30000 clients allowed
2005.03.17 11:21:03 LOG5[952:1152]: schools connected from 127.0.0.1:1413
2005.03.17 11:21:07 LOG5[952:1152]: VERIFY OK: depth=1, /C=CA/ST=XXX/L=XXX/O=XXX/OU=XXX CACERT/CN=sd.traf.mb.ca/emailAddress=sysadmin@XXXX
2005.03.17 11:21:07 LOG4[952:1152]: VERIFY ERROR ONLY MY: no cert for /C=CA/ST=XXX/O=XXXX/OU=STUNNEL SERVER CERT/CN=XXXXX/emailAddress=sysadmin@XXXX
2005.03.17 11:21:07 LOG3[952:1152]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I have created the certs on both server and client according to the documents at http://www.stunnel.org/faq/openssl_stunnel_ServerClientAuth.txt.
I have the cacert.pem file on the client side, and I have c_hashed the cert file on the server side. Do I need to put the c_hash of the server side cert on the client as well?
Is there something I have missed? Any ideas as to what I can check to see where the issue is?
I am desperate, any help would be greatly appreciated.
Regards,
+------------------------------------------+
| Richard Houston                    .^.   |
| R.L.H. Consulting                  /V\   |
| E-Mail rhouston@rlhc.net          /( )\  |
| WWW <www.rlhc.net>                ^^-^^  |
+------------------------------------------+
Update:
I have turned on debugging on the client side and have found the following errors:
2005.03.17 13:02:49 LOG7[768:1148]: SSL state (connect): SSLv3 read server hello A
2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=XXX/O=XXX/OU=STUNNEL SERVER CERT/CN=XXXX/emailAddress=sysadminXXXX
2005.03.17 13:02:49 LOG7[768:1148]: SSL alert (write): fatal: bad certificate
2005.03.17 13:02:49 LOG3[768:1148]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2005.03.17 13:02:49 LOG7[768:1148]: schools finished (0 left)
Any ideas?
Regards,
+------------------------------------------+
| Richard Houston                    .^.   |
| R.L.H. Consulting                  /V\   |
| E-Mail rhouston@rlhc.net          /( )\  |
| WWW <www.rlhc.net>                ^^-^^  |
+------------------------------------------+
stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Hi Richard
verify = 3 means the stunnel server checks the subject part of the client certificate, so you need to put each client certificate file on your stunnel server in a certain way.
Try using verify = 2, which only checks the CA cert portion.
regards
taka

On Thu, 17 Mar 2005 13:13:05 -0600 (CST), Richard Houston rhouston@rlhc.net wrote:
Hi there,
Tried dropping the client and server to verify=2 and still get the same issue. Still getting this error: error=unable to get local issuer certificate:
Regards,
+------------------------------------------+
| Richard Houston                    .^.   |
| R.L.H. Consulting                  /V\   |
| E-Mail rhouston@rlhc.net          /( )\  |
| WWW <www.rlhc.net>                ^^-^^  |
+------------------------------------------+
Hi Richard,
On Thu, 17 Mar 2005, Richard Houston wrote:
I have taken over a stunnel install and all the clients' certs have expired.
I didn't read anywhere in your logs the certs had expired ;).
Could you please send over the config of both your server and your client? It's probably something simple but looks like you made errors in both configs.
Jan
Hi Jan,
I have replaced the keys already. These are new keys altogether.
Here are the configs as requested:
Server:
cert = /etc/stunnel/server.pem
#chroot = /usr/local/var/run/stunnel/
# PID is created inside chroot jail
pid = /tmp/stunnel.pid
setuid = nobody
#setgid = nogroup
foreground = no

# Workaround for Eudora bug
#options = DONT_INSERT_EMPTY_FRAGMENTS

# Authentication stuff
verify = 333
# don't forget about c_rehash CApath
# it is located inside chroot jail:
#CApath = /etc/stunnel/certs
# or simply use CAfile instead:
CAfile = /etc/stunnel/cacert.pem

# Some debugging stuff
debug = 7
output = /var/log/stunnel.log

# Use it for client mode
#client = yes

# Service-level configuration

[school4]
accept = XX.XXX.XXX.XXX:443
connect = 10.10.10.12:23
TIMEOUTidle = 3600
Client:
CApath=c:\stunnel
#cert=c:\stunnel\traf-test.pem
client = yes
verify = 2
debug=7

[schools]
accept = 23
connect = XX.XXXX.XX.XX:443
Thanks for the help!
On Thu, 17 Mar 2005, Richard Houston wrote:
I have replaced the keys already. These are new keys altogether.
It's not the keys that are wrong, they're in the wrong places. The verify failure indicates just that: both server and client have problems verifying the authenticity of one another.
Now try this.
At the server side:
- change verify to '= 2'
At the client side:
Make sure the client certificate is not commented out as it looks like in your config:
CApath=c:\stunnel
#cert=c:\stunnel\traf-test.pem
Without a certificate at the client side there's no way the client will ever authenticate to your 'verify = 2' server.
Secondly, remove the 'CAPath' directive from your client configuration and add 'CAfile = /etc/stunnel/cacert.pem' to it. Do make sure you copy the cacert.pem to your client ;).
I trust you did not include the private key of your CA in cacert.pem ;).
Let me know what happens.
Jan
OK, the errors are a bit different this time...
Server:
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): before/accept initialization
2005.03.17 13:57:56 LOG7[13122:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 13:57:56 LOG7[13122:3086949296]: waitforsocket: ok
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 read client hello A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 write server hello A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 write certificate A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 write certificate request A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 flush data
2005.03.17 13:57:56 LOG7[13122:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 13:58:00 LOG7[13122:3086949296]: waitforsocket: ok
2005.03.17 13:58:00 LOG4[13122:3086949296]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=Manitoba/O=XXXX/OU=XXXX_XXXX_XXXX/CN=XXXXXXXXXX/emailAddress=sysadmin@XXXX
2005.03.17 13:58:00 LOG7[13122:3086949296]: SSL alert (write): fatal: bad certificate
2005.03.17 13:58:00 LOG3[13122:3086949296]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2005.03.17 13:58:00 LOG7[13122:3086949296]: school4 finished (0 left)

Client:
2005.03.17 13:02:46 LOG7[768:1148]: remote connect #1: EWOULDBLOCK: retrying
2005.03.17 13:02:46 LOG7[768:1148]: waitforsocket: FD=688, DIR=write
2005.03.17 13:02:46 LOG7[768:1148]: waitforsocket: ok
2005.03.17 13:02:46 LOG7[768:1148]: remote connect #2: EINVAL: ok
2005.03.17 13:02:46 LOG7[768:1148]: Remote FD=688 initialized
2005.03.17 13:02:46 LOG7[768:1148]: SSL state (connect): before/connect initialization
2005.03.17 13:02:46 LOG7[768:1148]: SSL state (connect): SSLv3 write client hello A
2005.03.17 13:02:46 LOG7[768:1148]: waitforsocket: FD=688, DIR=read
2005.03.17 13:02:49 LOG7[768:1148]: waitforsocket: ok
2005.03.17 13:02:49 LOG7[768:1148]: SSL state (connect): SSLv3 read server hello A
2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=Manitoba/O=XXXX/OU=STUNNEL SERVER CERT/CN=XXXXXXXXXXX/emailAddress=sysadmin@XXXXXXX
2005.03.17 13:02:49 LOG7[768:1148]: SSL alert (write): fatal: bad certificate
2005.03.17 13:02:49 LOG3[768:1148]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2005.03.17 13:02:49 LOG7[768:1148]: schools finished (0 left)
What should I check next? Is it possible I screwed up making the certs?
Thanks again for your continued help.
Regards,
+------------------------------------------+
| Richard Houston                    .^.   |
| R.L.H. Consulting                  /V\   |
| E-Mail rhouston@rlhc.net          /( )\  |
| WWW <www.rlhc.net>                ^^-^^  |
+------------------------------------------+
Hi Richard,
On Thu, 17 Mar 2005, Richard Houston wrote:
OK, the errors are a bit different this time...
2005.03.17 13:58:00 LOG4[13122:3086949296]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=Manitoba/O=XXXX/OU=XXXX_XXXX_XXXX/CN=XXXXXXXXXX/emailAddress=sysadmin@XXXX
This error states the server is unable to find the CA certificate that issued the client certificate.
This client-error:
2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=Manitoba/O=XXXX/OU=STUNNEL SERVER CERT/CN=XXXXXXXXXXX/emailAddress=sysadmin@XXXXXXX
basically says the same.
Just wondering: you *do* have a CA, right? Not that you definitely need one, that kind of depends on your setup. The point is that, as you configured your setup with a CA, the client and server certificates need to be issued by that CA.
Jan
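Jan's checks above (a client cert that is actually uncommented when the server runs verify = 2, a CAfile or a c_rehash-ed CApath on the verifying side, no CA private key inside cacert.pem, and a sane verify level) as an added example written for this thread; it is not code from the list or from the stunnel project. The configs and PEM contents are constructed stand-ins modelled on what Richard posted, the path names are assumptions, and the accepted verify range 0-3 is taken from the stunnel 4.x documentation.

```python
import re

HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")  # c_rehash names CA files <subject-hash>.0

def parse_global_opts(text):
    """Return stunnel's global options (lines before the first [service]) as a dict.
    Comments are dropped, so a '#cert = ...' line yields no 'cert' key at all."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            break
        if line:
            key, _, value = line.partition("=")
            opts[key.strip().lower()] = value.strip()
    return opts

def check_trust_store(side, opts, files):
    """A verifying side needs a usable CA store: a CAfile holding a certificate
    (and no private key), or a CApath that has been c_rehash-ed."""
    findings = []
    cafile, capath = opts.get("cafile"), opts.get("capath")
    if not cafile and not capath:
        findings.append(f"{side}: verify >= 2 but neither CAfile nor CApath is set")
    if cafile:
        pem = files.get(cafile)
        if pem is None:
            findings.append(f"{side}: CAfile {cafile} not found on this host")
        elif "-----BEGIN CERTIFICATE-----" not in pem:
            findings.append(f"{side}: CAfile {cafile} holds no certificate")
        elif "PRIVATE KEY-----" in pem:
            findings.append(f"{side}: CAfile {cafile} contains a private key; the CA key must stay offline")
    if capath:
        names = [p[len(capath):].lstrip("\\/") for p in files if p.startswith(capath)]
        if not any(HASH_NAME.match(n) for n in names):
            findings.append(f"{side}: CApath {capath} has no <hash>.0 files; run c_rehash or use CAfile")
    return findings

def check_pair(server_conf, client_conf, files):
    """Cross-check a server/client config pair; `files` maps path -> contents
    and stands in for both hosts' filesystems so this runs offline."""
    sides = {"server": parse_global_opts(server_conf), "client": parse_global_opts(client_conf)}
    findings, levels = [], {}
    for side, opts in sides.items():
        value = opts.get("verify", "0")
        if value not in {"0", "1", "2", "3"}:   # levels stunnel 4.x accepts (assumption: per 4.x docs)
            findings.append(f"{side}: verify = {value} is not a valid level (0-3)")
            value = "2"  # treat as 'verify peer' so the dependent checks still run
        levels[side] = int(value)
        if levels[side] >= 2:
            findings.extend(check_trust_store(side, opts, files))
        if levels[side] == 3 and not opts.get("capath"):
            findings.append(f"{side}: verify = 3 also needs each peer certificate installed locally in CApath")
    if "cert" not in sides["server"]:
        findings.append("server: cert = is mandatory in server mode")
    if levels["server"] >= 2 and "cert" not in sides["client"]:
        findings.append("client: no cert = ...; it cannot authenticate to a server with verify >= 2")
    return findings

# Constructed stand-ins modelled on the configs posted in the thread (not the real files).
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIB(constructed placeholder)\n-----END CERTIFICATE-----\n"
FILES = {"/etc/stunnel/cacert.pem": CA_PEM, r"c:\stunnel\cacert.pem": CA_PEM,
         r"c:\stunnel\traf-test.pem": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"}
SERVER_AS_POSTED = "cert = /etc/stunnel/server.pem\nverify = 333\nCAfile = /etc/stunnel/cacert.pem\n[school4]\naccept = 443\nconnect = 10.10.10.12:23\n"
CLIENT_AS_POSTED = "CApath=c:\\stunnel\n#cert=c:\\stunnel\\traf-test.pem\nclient = yes\nverify = 2\n[schools]\naccept = 23\n"
SERVER_FIXED = SERVER_AS_POSTED.replace("verify = 333", "verify = 2")
CLIENT_FIXED = "CAfile=c:\\stunnel\\cacert.pem\ncert=c:\\stunnel\\traf-test.pem\nclient = yes\nverify = 2\n[schools]\naccept = 23\n"

if __name__ == "__main__":
    print("as posted:", check_pair(SERVER_AS_POSTED, CLIENT_AS_POSTED, FILES))
    print("after Jan's changes:", check_pair(SERVER_FIXED, CLIENT_FIXED, FILES))
```

Run against the posted pair it reports the invalid verify level, the un-hashed CApath and the missing client cert; the corrected pair comes back clean.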